The kerberos server admins have to add you a host key, they then give
you that key and you put it in a keytab file on your client. I.e. they
do a "kadmin addprinc -pw somepassword host/[EMAIL PROTECTED]"
and give you the result to put in a keytab file. 

        Doing this ensures you can ask the server to send you something
encrypted with your key. If you don't do this, your kerberos
authentication is spoofable by anyone who can intercept traffic
between you and the kerb server. 

        So actually, you have to ask them for the host key :) Ask
them - they should give you one.

        No, there isn't a knob to turn it off, that would be insecure.

        Personally, how we do it here on this campus is we have an https
secured web page (https://password.srv.ualberta.ca/krb/) that we allow
any campus LAN admin types to log into and get a principal created or
modified that is of the form
host/[EMAIL PROTECTED] How your campus
kerberos admins choose to do this I wouldn't know, sorry, you'll have
to break down and ask them.

        -Bob
 

* Donald J. Ankney <[EMAIL PROTECTED]> [2006-10-24 14:27]:
> 
> On Oct 24, 2006, at 12:29 PM, Bob Beck wrote:
> 
> >
> >     Did you give the wee beastie a host key on your kerberos server?
> >both ssh and /bin/login will attempt to verify a host key against
> >the server so that your kerberos server isn't getting spoofed.
> 
> 
> I think this is the place where I'm running into problems. Checking  
> my authlog, I find:
> 
> krb5-or-pwd: verify: Server not found in Kerberos database
> 
> The next problem is that I don't control the server (I'm trying to  
> authenticate my departmental server against the university-wide  
> kerberos server). I'll dig into google on that one, but on a  
> conceptual note, don't I just need to have their key stored on my  
> client and not vice versa? This should be a one-way trust (me  
> trusting them, not vice-versa), right? Or are there security  
> implications that I'm not understanding with Kerberos?
> 
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}
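
Added example, not part of the original thread: a toy Python model of the host-key check discussed above, showing why a login that only decrypts the KDC's reply with the typed password proves nothing about who answered, and why a missing host principal makes the check fail. The cipher, realm, principal names and passwords are constructed stand-ins, not real Kerberos enctypes or this site's values.

```python
import hashlib, hmac, os

def string_to_key(password, salt):
    # Toy stand-in for the Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, plaintext):
    # Toy authenticated encryption (illustration only, not a Kerberos enctype).
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # not produced by someone holding this key
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class ToyKDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def as_reply(self, user):
        return seal(self.user_keys[user], os.urandom(16))  # sealed session key
    def service_ticket(self, principal):
        key = self.service_keys.get(principal)
        return seal(key, b"ticket:" + principal.encode()) if key else None

def login(kdc, user, password, host_principal, keytab_key, verify=True):
    if unseal(string_to_key(password, REALM + user), kdc.as_reply(user)) is None:
        return "bad password"
    if not verify:
        return "accepted (KDC never authenticated)"
    ticket = kdc.service_ticket(host_principal)
    if ticket is None:  # mirrors the authlog error quoted in the thread
        return "rejected: Server not found in Kerberos database"
    if unseal(keytab_key, ticket) is None:
        return "rejected: ticket not sealed with our host key"
    return "accepted (KDC verified)"

# Constructed sample data: realm, principals and passwords are made up.
REALM, USER, HOST = "EXAMPLE.EDU", "alice", "host/dept.example.edu"
HOST_KEY = os.urandom(32)  # what the KDC admins hand over for the keytab
REAL = ToyKDC({USER: string_to_key("correct horse", REALM + USER)}, {HOST: HOST_KEY})
NO_HOST = ToyKDC(REAL.user_keys, {})  # host principal never created
# A responder that is not the real KDC: it can pick any user key, but lacks HOST_KEY.
IMPOSTOR = ToyKDC({USER: string_to_key("guess", REALM + USER)}, {HOST: os.urandom(32)})
```

With `verify=False` the impostor's reply is accepted for any password it chooses; with the keytab check only the KDC that actually holds the host key gets a login through.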
